ASP.NET Core 5.0 - FIDO2 Credential Devices

Ken Haggerty
Created 07/04/2021 - Updated 08/16/2021 04:00

This article will describe the FIDO2 devices I used to develop the Users Without Passwords Project (UWPP). I will assume you have downloaded the ASP.NET Core 5.0 - Users Without Passwords Project.

Users Without Passwords Project and Article Series

I have developed two separate projects in the Users Without Passwords Project (UWPP) solution. The Users Without Passwords v4 project supports Bootstrap v4 and the new Users Without Passwords project supports Bootstrap v5. The new version is published at Fido.KenHaggerty.Com. You can register a new user with Windows Hello or a FIDO2 security key. Details, screenshots, and related articles can be found at ASP.NET Core 5.0 - Users Without Passwords Project. The details page includes the version change log.

The user must possess at least one FIDO2 authenticator to register and log in. Windows Hello acts as a platform authenticator and verifies the user with an IR webcam for facial recognition, a fingerprint scanner, or just a PIN. See Learn about Windows Hello and set it up.

Project Evolution

I have been researching this project for over a year. When I started, I just wanted to register a user and then log in with a device. With the help of GitHub - scottbrady91/Fido2-Poc and my first Yubico security key, I developed an ASP.NET Core 3.1 Razor Pages project which registered and authenticated a user without a password.

My next objective was to implement multiple credentials and credential management per user. At the time, my second FIDO2 device was Windows Hello. The Yubico security key uses elliptic curve cryptography and Windows Hello uses RSA cryptography. With the help of GitHub - abergs/fido2-net-lib I implemented RSA cryptography.

After I purchased a HyperFIDO Titanium PRO key and a second Yubico key, I started tracking the device's AAGUID, which stands for "Authenticator Attestation Globally Unique ID". I had issues trying to store and verify the signature counter. The signature counter should increment with each authentication. I published that version of the project to fido.kenhaggerty.com and emailed HyperFIDO support, including the AAGUID, asking for help. The kind folks at Hypersecu analyzed the published project and replied letting me know I was not decoding big-endian values properly. Even the AAGUID, which is big-endian, didn't match. I was embarrassed but thankful I had not released that version.
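The two decoding mistakes described above, as an added example that is not code from the UWPP project: a JavaScript parser for the fixed-layout prefix of WebAuthn authenticatorData that reads the signature counter and the credential id length with explicit big-endian reads, formats the 16 AAGUID bytes in wire order, shows what a little-endian GUID decode of the same bytes would produce, and applies the signature-counter rule from the WebAuthn assertion verification procedure. The sample authenticatorData is constructed for the example (filler rpIdHash, the HyperFIDO AAGUID from the device table below, a 4-byte credential id, a single byte standing in for the CBOR public key); the function names are mine.

```javascript
// Added example, not code from the UWPP project: decode the fixed-layout
// prefix of WebAuthn authenticatorData with explicit big-endian reads.
//   rpIdHash[32] | flags[1] | signCount[4, big-endian] |
//   attestedCredentialData (only if flags.AT): aaguid[16] | credIdLen[2, big-endian] | credentialId | COSE key (CBOR)

function bytesToHex(bytes) {
  return Array.from(bytes, b => b.toString(16).padStart(2, "0")).join("");
}

// The AAGUID is 16 raw bytes; printed in wire order as 8-4-4-4-12 they match
// the AAGUID published for the authenticator model.
function aaguidToString(bytes) {
  const h = bytesToHex(bytes);
  return `${h.slice(0, 8)}-${h.slice(8, 12)}-${h.slice(12, 16)}-${h.slice(16, 20)}-${h.slice(20)}`;
}

// What a GUID constructor that treats the first three groups as little-endian
// (for example .NET's new Guid(byte[])) makes of the same 16 bytes: groups 1-3 reversed.
function aaguidMisdecodedLittleEndian(bytes) {
  const swapped = Uint8Array.from(bytes);
  swapped.set([bytes[3], bytes[2], bytes[1], bytes[0]], 0);
  swapped.set([bytes[5], bytes[4]], 4);
  swapped.set([bytes[7], bytes[6]], 6);
  return aaguidToString(swapped);
}

function parseAuthenticatorData(bytes) {
  if (bytes.length < 37) throw new Error("authenticatorData shorter than 37 bytes");
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  const flags = bytes[32];
  const parsed = {
    rpIdHash: bytesToHex(bytes.subarray(0, 32)),
    userPresent: (flags & 0x01) !== 0,
    userVerified: (flags & 0x04) !== 0,
    attestedCredentialData: (flags & 0x40) !== 0,
    signCount: view.getUint32(33, false),   // second argument false = big-endian
  };
  if (parsed.attestedCredentialData) {
    if (bytes.length < 55) throw new Error("attested credential data truncated");
    const credIdLen = view.getUint16(53, false);
    if (bytes.length < 55 + credIdLen) throw new Error("credentialId truncated");
    parsed.aaguid = aaguidToString(bytes.subarray(37, 53));
    parsed.credentialId = bytesToHex(bytes.subarray(55, 55 + credIdLen));
    parsed.credentialPublicKey = bytes.subarray(55 + credIdLen);  // CBOR COSE_Key; not decoded here
  }
  return parsed;
}

// Signature counter rule from the WebAuthn assertion verification procedure:
// when either value is non-zero the new count must be strictly greater than
// the stored one; both zero means the authenticator does not keep a counter.
function checkSignCount(storedCount, newCount) {
  if (storedCount === 0 && newCount === 0) return "no-counter";
  return newCount > storedCount ? "ok" : "cloned-or-replayed";
}

// Constructed sample (not captured from a device): filler rpIdHash, flags UP|UV|AT (0x45),
// signCount 7, the HyperFIDO AAGUID from the device table, a 4-byte credential id
// and a single byte standing in for the CBOR public key.
function sampleAuthenticatorData() {
  const aaguid = [0x9f, 0x77, 0xe2, 0x79, 0xa6, 0xe2, 0x4d, 0x58,
                  0xb7, 0x00, 0x31, 0xe5, 0x94, 0x3c, 0x6a, 0x98];
  return Uint8Array.from([
    ...new Array(32).fill(0x11),
    0x45,
    0x00, 0x00, 0x00, 0x07,
    ...aaguid,
    0x00, 0x04,
    0xde, 0xad, 0xbe, 0xef,
    0xa5,
  ]);
}

const sample = sampleAuthenticatorData();
const parsed = parseAuthenticatorData(sample);
console.log(parsed.aaguid, parsed.signCount, parsed.credentialId);
console.log("little-endian misdecode:", aaguidMisdecodedLittleEndian(sample.subarray(37, 53)));
console.log(checkSignCount(6, parsed.signCount), checkSignCount(7, parsed.signCount));
```

A little-endian read of the counter bytes looks harmless at first because small counters still increase, but it breaks as soon as a byte boundary is crossed: a counter going from 255 to 256 reads as 0xff000000 followed by 0x00010000, which the counter check above reports as a replay. The AAGUID problem is the same mistake in a different field: the byte order on the wire is the order the published AAGUID strings use, so no per-field swapping is needed.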

I have two Yubico keys with NFC (Security Key NFC), a HyperFIDO Titanium PRO and a HyperFIDO PRO MINI. My laptop has a fingerprint scanner which works with Windows Hello. I even bought an IR webcam to test facial recognition. Probably my most useful device is a male micro-USB to female USB adapter, because my phone doesn't have NFC.

Works with FIDO2 Devices

Device                                        AAGUID                                      Purchased
Windows Hello                                 08987058-cadc-4b81-b6e1-30de50dcbe96        Windows 10 install
Security Key NFC (Yubico)                     6d44ba9b-f6ec-2e49-b930-0c8fe920cb73        July 2019
Security Key NFC (Yubico)                     149a2021-8ef6-4133-96b8-81f8d5b7f1f5        March 2020
HyperFIDO Titanium PRO                        9f77e279-a6e2-4d58-b700-31e5943c6a98        June 2020
HyperFIDO Pro Mini                            9f77e279-a6e2-4d58-b700-31e5943c6a98        March 2021
Kaysuda CA20 Face Recognition USB IR Camera   (camera only; used through Windows Hello)   March 2021

The two HyperFIDO keys report the same AAGUID. An AAGUID identifies the authenticator model, not the individual unit, so it tells you which product a credential came from but cannot distinguish two keys of the same model.

Instead of debugging Web Authentication in your website or app with physical authenticators, use the WebAuthn tool in Microsoft Edge DevTools to create and interact with software-based virtual authenticators. See Emulate authenticators and debug WebAuthn in Microsoft Edge DevTools.

DevTools (F12) has a WebAuthn tab where you can enable the virtual authenticator environment and then create virtual authenticators.

Option                       Value                        Details
Protocol                     ctap2 or u2f                 The protocol the virtual authenticator uses for encoding and decoding.
Transport                    usb, nfc, ble, or internal   The transport the virtual authenticator simulates for communicating with clients in order to obtain an assertion for a specific credential. See the WebAuthn Authenticator Transport Enumeration.
Supports resident keys       checkbox (on or off)         Turn on if your web app relies on resident keys (also known as client-side discoverable credentials). See the WebAuthn Resident Key Requirement Enumeration.
Supports user verification   checkbox (on or off)         Turn on if your web app relies on local authorization using gesture modalities like touch plus PIN code, password entry, or biometric recognition. See the WebAuthn definition of User Verification.
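As an added example (not from the DevTools documentation or the UWPP project), the following JavaScript applies the per-authenticator skipping rules of the WebAuthn create() algorithm to an authenticator described with the same four options as the DevTools form, so you can predict whether a given virtual authenticator will answer a registration request or be silently skipped. The authenticator and request objects are constructed for the example and the function name is mine; the selection object is the authenticatorSelection member your site passes to navigator.credentials.create().

```javascript
// Added example, not code from the UWPP project or the DevTools docs.
// Given an authenticator described with the DevTools options (protocol,
// transport, resident-key and user-verification support) and a request's
// authenticatorSelection, report whether the client would use the
// authenticator or skip it (WebAuthn create() algorithm, per-authenticator steps).

function authenticatorSatisfies(authenticator, selection = {}) {
  const reasons = [];
  // A u2f (CTAP1) virtual authenticator has neither resident keys nor user verification,
  // whatever the checkboxes say.
  const residentKeys = authenticator.protocol !== "u2f" && authenticator.supportsResidentKeys === true;
  const userVerification = authenticator.protocol !== "u2f" && authenticator.supportsUserVerification === true;

  // Attachment: "platform" matches only the internal transport, "cross-platform" everything else.
  const attachment = authenticator.transport === "internal" ? "platform" : "cross-platform";
  if (selection.authenticatorAttachment !== undefined && selection.authenticatorAttachment !== attachment) {
    reasons.push(`authenticatorAttachment ${selection.authenticatorAttachment} does not match ${attachment} (${authenticator.transport})`);
  }

  // residentKey "required" skips authenticators without discoverable credentials; the older
  // requireResidentKey flag applies only when residentKey is absent.
  const residentRequired = selection.residentKey === "required" ||
    (selection.residentKey === undefined && selection.requireResidentKey === true);
  if (residentRequired && !residentKeys) {
    reasons.push("resident (discoverable) credential required but not supported");
  }

  // userVerification "required" skips authenticators that cannot verify the user;
  // "preferred" and "discouraged" never skip.
  if (selection.userVerification === "required" && !userVerification) {
    reasons.push("user verification required but not supported");
  }

  return { ok: reasons.length === 0, reasons };
}

// Constructed authenticators mirroring the DevTools form (not real devices).
const VIRTUAL_KEY_CTAP2 = { protocol: "ctap2", transport: "usb", supportsResidentKeys: true, supportsUserVerification: true };
const VIRTUAL_KEY_U2F = { protocol: "u2f", transport: "usb", supportsResidentKeys: false, supportsUserVerification: false };
const VIRTUAL_PLATFORM = { protocol: "ctap2", transport: "internal", supportsResidentKeys: true, supportsUserVerification: true };

// The authenticatorSelection a passwordless site sends: it needs a discoverable
// credential and a verified user, so a u2f-only virtual authenticator is skipped.
const PASSWORDLESS_SELECTION = { residentKey: "required", userVerification: "required" };

for (const [name, auth] of Object.entries({ VIRTUAL_KEY_CTAP2, VIRTUAL_KEY_U2F, VIRTUAL_PLATFORM })) {
  console.log(name, authenticatorSatisfies(auth, PASSWORDLESS_SELECTION));
}
```

If registration with a virtual authenticator hangs or fails with no useful error, run the request's authenticatorSelection through this check first: a u2f protocol or an unticked checkbox silently removes the authenticator from consideration rather than producing a readable error.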

When you register a user or add a new user credential with a virtual authenticator, the credential id is listed in the WebAuthn tab. The signature count updates with each login. The credential ids do not persist if the environment is disabled and then enabled, or if DevTools is closed and then opened; a credential id stored by the site whose virtual authenticator is gone can no longer produce an assertion, so the user has to be registered again after a reset. You can export a credential as a PEM file, but I have not found a way to import the credential.

Screenshots: Virtual Authenticators With Credentials; Virtual Authenticators After Reset; Manage Virtual Credentials; Manage Virtual Credentials Mobile.

Article Tags:

Authorization FIDO Validation
